Safety instrumented systems: Tips from the trenches: Part II

The two-part installment introduces safety instrumented systems (SIS) and outlines specific tips on designing, developing, and verifying SIS applications.

By Jay Griffin August 4, 2015

Part one of this article outlined the purpose and application of the safety instrumented system (SIS) as well as specific nuances with the safety integrity layer (SIL) calculations and general tips to consider when designing, developing and verifying a safety instrumented system. Keep in mind that the SIS is used for safety, not basic control. While the basic process control system (BPCS) is the workhorse of automation, the SIS is the last line of defense for the process and intended as a critical shutdown system. This second and final installment of the article wraps up by exploring tips for SIS hardware and the control system interface.

SIS I/O

  • If possible, use transmitters instead of switches in the SIS.  Transmitters offer better reliability, diagnostics and easier maintenance and testing.  If multiple transmitters are used in a safety function, their values can also be compared against one another providing valuable diagnostic information.  These diagnostics can also lower the probability of failure on demand (PFD) in the safety integrity layer (SIL) calculation.
  • If SIS I/O conditioning components (isolators, splitters, barriers, relays, etc.) are used, the PFD of each component has to be incorporated into the SIL calculation for the safety function that uses it.
  • Only I/O that is used in an SIS safety function should be wired to the SIS.  If it is not used in a safety function, it has no business being there.  For instance, if the SIS closes a block valve, only the solenoid should be wired to the SIS.  The limit switches should be wired to the BPCS and can be used to indicate position status in the accompanying BPCS valve module.  The limit switches should only be wired to the SIS if they are used as initiating devices in another safety function.
  • An analog control valve should never be used as the sole shut-off device in a safety function.  If there is not a discrete quarter-turn block valve downstream of the control valve, then one should be installed and wired to the SIS.  Then, a solenoid should be installed on the air line to the analog control valve positioner and wired to the SIS as well.  The SIS safety function will then close the block valve and the control valve at the same time.
  • As a benchmark for estimates, approximately 10% of the total I/O in a new system will belong to the SIS.  However, the true number of SIS I/O cannot be determined until a full process hazard analysis (PHA) has been performed on the entire process.
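The transmitter-comparison diagnostic mentioned in the first tip, as an added example that is not from the article: three transmitters on one process variable are voted 2oo3 and checked against each other for deviation. The tag names, the deviation tolerance, the trip setpoint and the fail-safe degradation policy are assumptions for the illustration.

```python
from statistics import median

# Constructed example (not from the article): three SIS transmitters on the
# same process variable, voted 2oo3 with a cross-comparison diagnostic.
DEVIATION_LIMIT = 2.0   # assumed tolerance between healthy transmitters (eng. units)
TRIP_SETPOINT = 100.0   # assumed high trip limit for the safety function


def vote_2oo3(readings, good_flags):
    """Return (trip, diagnostics) for a 2oo3 transmitter set.

    readings:   three measured values, one per transmitter (PT1..PT3)
    good_flags: three booleans, True when that transmitter's own signal
                quality is good (in range, no detected fault)
    trip is True when at least two healthy transmitters exceed TRIP_SETPOINT.
    diagnostics names transmitters with bad quality or whose value deviates
    from the median of the healthy set by more than DEVIATION_LIMIT; this is
    the comparison that redundant transmitters make possible.
    """
    healthy = [r for r, ok in zip(readings, good_flags) if ok]
    diagnostics = [f"PT{i + 1}: bad quality"
                   for i, ok in enumerate(good_flags) if not ok]
    # Assumed degradation policy: with fewer than two healthy transmitters a
    # 2oo3 vote is impossible, so fail safe (trip) rather than run blind.
    if len(healthy) < 2:
        return True, diagnostics + ["fewer than two healthy transmitters: fail-safe trip"]
    ref = median(healthy)
    for i, (r, ok) in enumerate(zip(readings, good_flags)):
        if ok and abs(r - ref) > DEVIATION_LIMIT:
            diagnostics.append(f"PT{i + 1}: deviation {r - ref:+.1f}")
    votes = sum(1 for r in healthy if r > TRIP_SETPOINT)
    return votes >= 2, diagnostics


if __name__ == "__main__":
    # One transmitter reading far from its neighbours is flagged, yet the vote
    # still trips on the two that agree.
    print(vote_2oo3([105.0, 104.0, 50.0], [True, True, True]))
```

A deviation flag on a transmitter that is not yet "bad quality" is the early warning the tip refers to: it can be logged and alarmed in the BPCS before the device fails outright.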

BPCS/SIS Interface

  • All SIS I/O should be repeated to the BPCS (via Modbus or some other communication link) and integrated into standard BPCS controls so everything is available to the operator as a cohesive system.  However, SIS-controlled devices should be indicated as such on the BPCS graphics.
  • All SIS interlocks should also be repeated to the BPCS and shown in the interlock faceplate for the appropriate SIS-controlled device.  They should also be identified as SIS interlocks.
  • An SIS initiating device that is repeated to the BPCS (even if it is hardwired between the two systems) cannot be used for a PHA-credited BPCS interlock.  This is because the PHA is already claiming one or more credits for an SIS interlock using this instrument, and the single instrument cannot provide credits for two different layers of protection.
  • If an SIS analog input is also used for control in the BPCS and the BPCS and SIS are not an integrated system (i.e., the two systems communicate via Modbus or a similar interface), then the signal should be wired to BPCS I/O as well.  This can be done by wiring the instrument to the SIS and then wiring an SIS analog output to a BPCS analog input and passing the signal through.  If this is not possible (some SIS manufacturers do not provide analog output I/O), use a SIL-rated splitter and split the incoming 4-20 mA signal to both the SIS and BPCS.  However, if this is done, the PFD of the splitter will have to be incorporated into the SIL calculation of the safety function.
  • For block valves that are controlled by the operator and the SIS, there are two approaches: (1) Have two solenoids in series (one for the BPCS and another for the SIS) for each valve.  The SIS solenoid will be energized if there are no SIS interlocks, and the BPCS solenoid will be controlled by the operator.  (2) Have a single solenoid that is wired to the SIS.  When the operator tries to open the valve, the BPCS will send a request to the SIS (either via a communication bus or hardwired I/O).  If the quality of the BPCS request is good, the SIS will energize the solenoid if all of the SIS interlocks for the valve are clear.
  • Individual initiating devices in a safety function can be bypassed in the SIS, and the bypass method used must be described in the safety requirement specification (SRS) of each safety instrumented function (SIF).  Some plants allow an SIS bypass to be performed from an operator graphic if a password is entered or a locked key-switch (wired to SIS I/O) is unlocked.  Other plants will only allow bypasses to be performed by an engineer from within the SIS configuration.  I prefer the latter method.  If an operator needs to bypass an SIS safety function frequently, it needs to be redesigned.
  • After a safety function trips and clears, it can either automatically reset itself or require a manual operator reset (like bypasses, the reset method must be defined in the SRS).  The two most common methods of manual resets are: (1) Reset each final device affected by the SIF individually.  If a SIF trips multiple devices, the operator has to call up each faceplate and press a reset button before the plant can be brought back online.  (2) Reset the SIF itself which will release all final devices interlocked by it (unless they are affected by another active SIF).  I prefer the latter method, and it has been my experience that the majority of plants do as well.
  • The SIS should be completely separate and independent from the BPCS.  This means hardware and software, cabinets, initiating and final devices, wiring and engineering access.  While the BPCS can read information from the SIS to display on operator graphics, the BPCS must not be able to adversely affect the operation of the SIS.  Any data (setpoints, limits, etc.) passed from the BPCS to the SIS should initially be placed in a holding area in the SIS.  Then, the data should only be used by the SIS if the BPCS / SIS communications link is healthy, the BPCS process writing the data is running fault-free, and the BPCS data passes both quality and limit checks inside the SIS.
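Two of the interface rules above, the SIF-level reset (second manual reset method) and the holding area for data written from the BPCS, as an added example that is not the article's or any vendor's code: the SIS adopts a BPCS-written value only after the link, the writing task, the quality bit and the limits all check out, and resetting a SIF releases only the final devices no other tripped SIF still holds. The flag layout, tag names and limits are assumptions.

```python
from dataclasses import dataclass

# Constructed example (not from the article): gating BPCS writes inside the SIS
# and releasing final devices on a SIF reset. Names and limits are assumed.

@dataclass
class HoldingArea:
    """Staging slot for a value the BPCS wrote; nothing here is used until accepted."""
    value: float
    quality_good: bool    # quality bit the BPCS sends alongside the value
    link_healthy: bool    # comm watchdog/heartbeat seen within its timeout
    bpcs_task_ok: bool    # BPCS process that writes the data reports fault-free


def accept_bpcs_write(hold, live_value, lo_limit, hi_limit):
    """Return the value the SIS may use from here on.

    The held value is adopted only if every check passes; otherwise the SIS
    keeps its last good live value, so a dead link, a faulted BPCS task, bad
    quality or an out-of-range number can never reach the safety logic.
    """
    checks = (hold.link_healthy,
              hold.bpcs_task_ok,
              hold.quality_good,
              lo_limit <= hold.value <= hi_limit)
    return hold.value if all(checks) else live_value


@dataclass
class Sif:
    name: str
    final_devices: set    # tags of the block valves/solenoids this SIF trips
    tripped: bool = False


def reset_sif(sifs, name):
    """Reset one SIF and return the final devices that may be released.

    A device stays tripped while any other SIF that also interlocks it is
    still active, which is the exception the article attaches to this method.
    """
    target = next(s for s in sifs if s.name == name)
    target.tripped = False
    still_held = set().union(*(s.final_devices for s in sifs if s.tripped))
    return target.final_devices - still_held
```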

In this series, we have presented some basic tips for designing, developing and verifying a safety instrumented system and have pointed out some crucial tips learned from real-world experience to ensure your SIS does what it is supposed to do – protect life and limb as that last line of defense separate from the control system.  

This post was written by Jay Griffin. Jay is a principal engineer at MAVERICK Technologies, a leading automation solutions provider offering industrial automation, strategic manufacturing, and enterprise integration services for the process industries. MAVERICK delivers expertise and consulting in a wide variety of areas including industrial automation controls, distributed control systems, manufacturing execution systems, operational strategy, business process optimization and more.

MAVERICK Technologies is a CSIA member as of 7/20/2015